
HttpOnly cookies and Spring Security

Jul 5th, 2012, 03:44 PM

Hello,

We have a Spring MVC app that uses Spring Security and has been in production for about a year and a half with no issues (running on JBoss 5.1). Recently, our IT department has made a change to JBoss's context.xml file, adding the following to the <context> element:

Code:

<SessionCookie secure="true" httpOnly="true"/>

Since that change, we are still able to hit our login page and, after logging in, we are redirected to our main page. The problem seems to be that, after the main page is loaded, an AJAX call is made to the server to retrieve data and the response from that call is the HTML for the login page (as opposed to the data from our database). It seems as though the AJAX request is being made and the controller is trying to redirect back to the login page.

I thought this might be related to the fact that the addition of the above <SessionCookie> line causes a jsessionid to be appended to the URLs, so I added a

Code:

disable-url-rewriting="true"

attribute to the security-config.xml file... that didn't work; we were not able to log on at all.

I then removed all of the Spring Security-related lines from our web.xml, bypassing the security entirely, and that worked... we were able to get to our main page, which made its AJAX call and returned the expected data.

So, any ideas as to how I can get Spring Security and JBoss's HttpOnly cookies to work together?

It might be that I am not interpreting the secure property correctly (and I am not sure whether Spring Security has already been updated for that), but the cookie with the sessionId will be sent over a secure connection only, so it might be that, because one makes an http call, the sessionId isn't available.
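The behaviour described in the reply can be reproduced without a browser or an app server. The following is an added example, not code from the thread or from Spring Security or JBoss: Python's standard http.cookiejar plays the role of the browser's cookie jar, a constructed Set-Cookie header stands in for what Tomcat/JBoss emits once <SessionCookie secure="true" httpOnly="true"/> is set, and a tiny stub stands in for a Spring Security protected endpoint. The hostname app.example.com, the URLs and the JSESSIONID value are made up.

```python
"""Added example (not from the forum thread): how a cookie jar treats a session
cookie flagged Secure, and why an http:// AJAX call then looks anonymous.
Hostname, URLs and session-id value below are constructed for illustration."""
import email.message
import http.cookiejar
import urllib.request

# Constructed Set-Cookie header in the shape the container emits once
# <SessionCookie secure="true" httpOnly="true"/> is configured.
SESSION_ID = "0123456789ABCDEF"
SET_COOKIE = f"JSESSIONID={SESSION_ID}; Path=/; Secure; HttpOnly"
LOGIN_URL = "https://app.example.com/login"  # assumed hostname


class _FakeResponse:
    """Minimal object satisfying CookieJar.extract_cookies(): info() -> headers."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def login(jar=None, set_cookie=SET_COOKIE, url=LOGIN_URL):
    """Simulate the login response over HTTPS storing the session cookie in the jar."""
    jar = jar if jar is not None else http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse([set_cookie]), urllib.request.Request(url))
    return jar


def session_cookie_flags(jar):
    """Report how the jar parsed the Secure and HttpOnly attributes."""
    cookie = next(iter(jar))
    return {"secure": cookie.secure,
            "httponly": cookie.has_nonstandard_attr("HttpOnly")}


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or
    None when the jar withholds every cookie (Secure cookie on a plain http URL)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def server_response(cookie_header):
    """Stand-in for a Spring Security protected endpoint (constructed, not the
    real filter chain): with no known JSESSIONID the request is anonymous and
    the client is sent to the login page instead of receiving data."""
    if cookie_header and f"JSESSIONID={SESSION_ID}" in cookie_header:
        return {"status": 200, "body": '{"rows": []}'}
    return {"status": 302, "body": "<html>login page</html>"}


def fetch(jar, url):
    """Full round trip: what the browser would send, and what it would get back."""
    return server_response(cookie_header_for(jar, url))


if __name__ == "__main__":
    jar = login()
    print("session cookie flags:", session_cookie_flags(jar))
    for data_url in ("https://app.example.com/api/data",
                     "http://app.example.com/api/data"):
        print(data_url, "->", cookie_header_for(jar, data_url), fetch(jar, data_url)["body"])
```

The https:// request carries JSESSIONID and gets data; the http:// request carries no Cookie header at all, so the server side sees an unauthenticated request and answers with the login page, which is exactly the HTML the post describes arriving in the AJAX response. The HttpOnly flag is irrelevant to this symptom; it only hides the cookie from script, it does not stop the browser from sending it. A quick check in a real deployment is to compare the scheme of the page URL with the scheme the AJAX call uses (absolute http:// URLs, or a reverse proxy terminating TLS in front of the container, are the usual culprits).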